GDPR: the right to be forgotten

The EU’s General Data Protection Regulation (GDPR), effective May 25, 2018, regulates how businesses can collect and process the personal data of EU citizens. Any business—even one based outside the EU—that has EU users must be in compliance with the GDPR. The regulation affords EU citizens certain rights over their personal data, for example:

  • The right to access: upon request, the business must send the user a digital copy of their processed personal data
  • The right to be forgotten: the business must delete all the personal data they have on an EU citizen upon request

In accordance with article 17 of the GDPR, you must notify Adjust when a user has exercised their right to to be forgotten. You can inform Adjust of a user’s decision through a call to our GDPR API endpoint or using the Adjust SDK. 

Once Adjust has been notified: 

  • we will permanently delete all of the user’s historical personal data from our internal system;
  • we will no longer receive the user’s information from the Adjust SDK; and
  • the device’s data will no longer appear anywhere in Adjust.

Requirements for GDPR API integration, instructions for Adjust SDK configuration, and server callback setup can be found below.

Please exercise extreme caution when testing the API endpoint or SDK method using a personal device ID. When Adjust is notified of a user’s request to be forgotten, the subsequent process is permanent and cannot be reversed. Adjust will never be able to reinstate the device’s data or receive requests from that device for any reason.

Adjust SDK requirements

To notify Adjust of a user’s request to be forgotten through the Adjust SDK, you first need to download and set up the Adjust SDK for your platform. Follow the instructions linked below to get started.

⚙️  This feature requires Adjust SDK v4.13 and later.

Once you have the Adjust SDK installed and configured, follow the guides linked below to use this feature:

📖 iOS / Android / Windows / Adobe Air / Unity / Cordova / Marmalade / Xamarin / Cocos2d-x / React Native / Titanium / Corona

GDPR API reference

Adjust offers a GDPR API to enable you to action RTBF requests from your server. Adjust immediately clears all data related to a device when you call it. To get started, check out the GDPR API reference.

How do I receive right-to-be-forgotten activity from Adjust

When Adjust receives a request to be forgotten, you can be notified via Adjust’s server callbacks and our Amazon S3 bucket integration. 

Enter a callback URL for the erased users (GDPR) server callback or include the erased users (GDPR) event type in your Amazon S3 cloud storage upload. If you want to receive right-to-be-forgotten information through your global callback, make sure you include the {activity_kind} placeholder, which will be filled with gdpr_forget_device when the callback is fired for a right-to-be-forgotten request.